Events fix (#1006)
* remove success event * remove event success message * remove events generated on clusterpolicy
parent
e7fa601148
commit
75a7543c6d
10 changed files with 30 additions and 191 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -8,3 +8,4 @@ coverage.txt
|
||||||
cmd/initContainer/kyvernopre
|
cmd/initContainer/kyvernopre
|
||||||
cmd/kyverno/kyverno
|
cmd/kyverno/kyverno
|
||||||
cmd/cli/kubectl-kyverno/kyverno
|
cmd/cli/kubectl-kyverno/kyverno
|
||||||
|
kubectl-kyverno
|
||||||
|
|
|
@ -9,8 +9,9 @@ import (
|
||||||
|
|
||||||
func TestPositive(t *testing.T) {
|
func TestPositive(t *testing.T) {
|
||||||
resourceName := "test_resource"
|
resourceName := "test_resource"
|
||||||
expectedMsg := fmt.Sprintf("Policy applied successfully on the resource '%s'", resourceName)
|
ruleName := "test_rule"
|
||||||
msg, err := getEventMsg(SPolicyApply, resourceName)
|
expectedMsg := fmt.Sprintf("Rule(s) '%s' failed to apply on resource %s", ruleName, resourceName)
|
||||||
|
msg, err := getEventMsg(FPolicyApplyFailed, ruleName, resourceName)
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
assert.Equal(t, expectedMsg, msg)
|
assert.Equal(t, expectedMsg, msg)
|
||||||
}
|
}
|
||||||
|
@ -18,6 +19,6 @@ func TestPositive(t *testing.T) {
|
||||||
// passing incorrect args
|
// passing incorrect args
|
||||||
func TestIncorrectArgs(t *testing.T) {
|
func TestIncorrectArgs(t *testing.T) {
|
||||||
resourceName := "test_resource"
|
resourceName := "test_resource"
|
||||||
_, err := getEventMsg(SPolicyApply, resourceName, "extra_args")
|
_, err := getEventMsg(FPolicyApplyFailed, resourceName, "extra_args1", "extra_args2")
|
||||||
assert.Error(t, err, "message expects 1 arguments, but 2 arguments passed")
|
assert.Error(t, err, "message expects 2 arguments, but 3 arguments passed")
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,9 +1,10 @@
|
||||||
package event
|
package event
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/go-logr/logr"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/go-logr/logr"
|
||||||
|
|
||||||
"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
|
"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
|
||||||
kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
||||||
kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
|
kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
|
||||||
|
@ -192,9 +193,6 @@ func (gen *Generator) syncHandler(key Info) error {
|
||||||
|
|
||||||
// set the event type based on reason
|
// set the event type based on reason
|
||||||
eventType := v1.EventTypeWarning
|
eventType := v1.EventTypeWarning
|
||||||
if key.Reason == PolicyApplied.String() {
|
|
||||||
eventType = v1.EventTypeNormal
|
|
||||||
}
|
|
||||||
|
|
||||||
// based on the source of event generation, use different event recorders
|
// based on the source of event generation, use different event recorders
|
||||||
switch key.Source {
|
switch key.Source {
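Review bot: The comment `// set the event type based on reason` above `eventType := v1.EventTypeWarning` is stale, because the PolicyApplied branch that made the type depend on key.Reason has been removed. Reword it to something like `// every event emitted by this generator is a warning`. syncHandler starts and ends outside the hunk, so any later assignment to eventType is not visible here.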
|
||||||
|
|
|
@ -10,11 +10,7 @@ type MsgKey int
|
||||||
|
|
||||||
//Message id for pre-defined messages
|
//Message id for pre-defined messages
|
||||||
const (
|
const (
|
||||||
FResourcePolcy MsgKey = iota
|
FPolicyApplyBlockCreate MsgKey = iota
|
||||||
FProcessRule
|
|
||||||
SPolicyApply
|
|
||||||
SRulesApply
|
|
||||||
FPolicyApplyBlockCreate
|
|
||||||
FPolicyApplyBlockUpdate
|
FPolicyApplyBlockUpdate
|
||||||
FPolicyBlockResourceUpdate
|
FPolicyBlockResourceUpdate
|
||||||
FPolicyApplyFailed
|
FPolicyApplyFailed
|
||||||
|
@ -23,10 +19,6 @@ const (
|
||||||
|
|
||||||
func (k MsgKey) String() string {
|
func (k MsgKey) String() string {
|
||||||
return [...]string{
|
return [...]string{
|
||||||
"Policy violation on resource '%s'. The rule(s) '%s' not satisfied",
|
|
||||||
"Failed to process rule '%s' of policy '%s'.",
|
|
||||||
"Policy applied successfully on the resource '%s'",
|
|
||||||
"Rule(s) '%s' of Policy '%s' applied successfully",
|
|
||||||
"Resource %s creation blocked by rule(s) %s",
|
"Resource %s creation blocked by rule(s) %s",
|
||||||
"Rule(s) '%s' of policy '%s' blocked update of the resource",
|
"Rule(s) '%s' of policy '%s' blocked update of the resource",
|
||||||
"Resource %s update blocked by rule(s) %s",
|
"Resource %s update blocked by rule(s) %s",
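Review bot: MsgKey.String() indexes an anonymous array literal by `k`, so the const block and the list of format strings must be edited in lockstep, which this change does by hand for four entries. A mismatch would either return the wrong format string or panic with an index out of range. A comment above the const block such as `// order must match the format strings in MsgKey.String()` would make the coupling explicit, and a length check before indexing would remove the panic. Reason.String() in the next file section has the same shape. String() continues past the end of this hunk, so its final entry is not visible here.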
|
||||||
|
|
|
@ -6,8 +6,6 @@ type Reason int
|
||||||
const (
|
const (
|
||||||
//PolicyViolation there is a violation of policy
|
//PolicyViolation there is a violation of policy
|
||||||
PolicyViolation Reason = iota
|
PolicyViolation Reason = iota
|
||||||
//PolicyApplied policy applied
|
|
||||||
PolicyApplied
|
|
||||||
//RequestBlocked the request to create/update the resource was blocked( generated from admission-controller)
|
//RequestBlocked the request to create/update the resource was blocked( generated from admission-controller)
|
||||||
RequestBlocked
|
RequestBlocked
|
||||||
//PolicyFailed policy failed
|
//PolicyFailed policy failed
|
||||||
|
@ -17,7 +15,6 @@ const (
|
||||||
func (r Reason) String() string {
|
func (r Reason) String() string {
|
||||||
return [...]string{
|
return [...]string{
|
||||||
"PolicyViolation",
|
"PolicyViolation",
|
||||||
"PolicyApplied",
|
|
||||||
"RequestBlocked",
|
"RequestBlocked",
|
||||||
"PolicyFailed",
|
"PolicyFailed",
|
||||||
}[r]
|
}[r]
|
||||||
|
|
|
@ -22,6 +22,7 @@ func (c *Controller) processGR(gr *kyverno.GenerateRequest) error {
|
||||||
var err error
|
var err error
|
||||||
var resource *unstructured.Unstructured
|
var resource *unstructured.Unstructured
|
||||||
var genResources []kyverno.ResourceSpec
|
var genResources []kyverno.ResourceSpec
|
||||||
|
|
||||||
// 1 - Check if the resource exists
|
// 1 - Check if the resource exists
|
||||||
resource, err = getResource(c.client, gr.Spec.Resource)
|
resource, err = getResource(c.client, gr.Spec.Resource)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -29,10 +30,14 @@ func (c *Controller) processGR(gr *kyverno.GenerateRequest) error {
|
||||||
logger.Error(err, "resource does not exist or is yet to be created, requeueing")
|
logger.Error(err, "resource does not exist or is yet to be created, requeueing")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// 2 - Apply the generate policy on the resource
|
// 2 - Apply the generate policy on the resource
|
||||||
genResources, err = c.applyGenerate(*resource, *gr)
|
genResources, err = c.applyGenerate(*resource, *gr)
|
||||||
|
|
||||||
// 3 - Report Events
|
// 3 - Report Events
|
||||||
reportEvents(logger, err, c.eventGen, *gr, *resource)
|
events := failedEvents(err, *gr, *resource)
|
||||||
|
c.eventGen.Add(events...)
|
||||||
|
|
||||||
// 4 - Update Status
|
// 4 - Update Status
|
||||||
return updateStatus(c.statusControl, *gr, err, genResources)
|
return updateStatus(c.statusControl, *gr, err, genResources)
|
||||||
}
|
}
|
||||||
|
@ -47,16 +52,16 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
|
||||||
policy, err := c.pLister.Get(gr.Spec.Policy)
|
policy, err := c.pLister.Get(gr.Spec.Policy)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if apierrors.IsNotFound(err) {
|
if apierrors.IsNotFound(err) {
|
||||||
for _,e := range gr.Status.GeneratedResources {
|
for _, e := range gr.Status.GeneratedResources {
|
||||||
resp, err := c.client.GetResource(e.Kind,e.Namespace,e.Name);
|
resp, err := c.client.GetResource(e.Kind, e.Namespace, e.Name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err,"Generated resource failed to get","Resource",e.Name)
|
logger.Error(err, "Generated resource failed to get", "Resource", e.Name)
|
||||||
}
|
}
|
||||||
|
|
||||||
labels := resp.GetLabels()
|
labels := resp.GetLabels()
|
||||||
if labels["policy.kyverno.io/synchronize"] == "enable" {
|
if labels["policy.kyverno.io/synchronize"] == "enable" {
|
||||||
if err := c.client.DeleteResource(resp.GetKind(), resp.GetNamespace(), resp.GetName(), false); err != nil {
|
if err := c.client.DeleteResource(resp.GetKind(), resp.GetNamespace(), resp.GetName(), false); err != nil {
|
||||||
logger.Error(err,"Generated resource is not deleted","Resource",e.Name)
|
logger.Error(err, "Generated resource is not deleted", "Resource", e.Name)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -135,7 +140,7 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext engine.P
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
startTime := time.Now()
|
startTime := time.Now()
|
||||||
genResource, err := applyRule(log, c.client, rule, resource, ctx, processExisting,policy.Name)
|
genResource, err := applyRule(log, c.client, rule, resource, ctx, processExisting, policy.Name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -192,7 +197,7 @@ func updateGenerateExecutionTime(newTime time.Duration, oldAverageTimeString str
|
||||||
return time.Duration(newAverageTimeInNanoSeconds) * time.Nanosecond
|
return time.Duration(newAverageTimeInNanoSeconds) * time.Nanosecond
|
||||||
}
|
}
|
||||||
|
|
||||||
func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool,policy string) (kyverno.ResourceSpec, error) {
|
func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool, policy string) (kyverno.ResourceSpec, error) {
|
||||||
var rdata map[string]interface{}
|
var rdata map[string]interface{}
|
||||||
var err error
|
var err error
|
||||||
var mode ResourceMode
|
var mode ResourceMode
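Review bot: In processGR, step 3 now calls `failedEvents(err, *gr, *resource)` and `c.eventGen.Add(events...)` unconditionally, so when applyGenerate returns a nil error the resource still gets a PolicyFailed event whose message ends in `<nil>`. The removed reportEvents branched on `err == nil`, and the lines of failedEvents visible in the next file section contain no such check; guard the call with `if err != nil { c.eventGen.Add(failedEvents(err, *gr, *resource)...) }`. Left as is, every successful generate request records a false failure, which buries the real ones for anyone watching that reason. Separately, the loop in applyGenerate logs a GetResource error and then still calls `resp.GetLabels()`; adding `continue` after the log avoids touching resp when the lookup failed. Both functions extend beyond the hunks shown.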
|
||||||
|
|
|
@ -3,38 +3,13 @@ package generate
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
|
||||||
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
|
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
|
||||||
"github.com/nirmata/kyverno/pkg/event"
|
"github.com/nirmata/kyverno/pkg/event"
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||||
)
|
)
|
||||||
|
|
||||||
func reportEvents(log logr.Logger, err error, eventGen event.Interface, gr kyverno.GenerateRequest, resource unstructured.Unstructured) {
|
|
||||||
if err == nil {
|
|
||||||
// Success Events
|
|
||||||
// - resource -> policy rule applied successfully
|
|
||||||
// - policy -> rule successfully applied on resource
|
|
||||||
events := successEvents(gr, resource)
|
|
||||||
eventGen.Add(events...)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
events := failedEvents(err, gr, resource)
|
|
||||||
eventGen.Add(events...)
|
|
||||||
}
|
|
||||||
|
|
||||||
func failedEvents(err error, gr kyverno.GenerateRequest, resource unstructured.Unstructured) []event.Info {
|
func failedEvents(err error, gr kyverno.GenerateRequest, resource unstructured.Unstructured) []event.Info {
|
||||||
var events []event.Info
|
|
||||||
// Cluster Policy
|
|
||||||
pe := event.Info{}
|
|
||||||
pe.Kind = "ClusterPolicy"
|
|
||||||
// cluserwide-resource
|
|
||||||
pe.Name = gr.Spec.Policy
|
|
||||||
pe.Reason = event.PolicyFailed.String()
|
|
||||||
pe.Source = event.GeneratePolicyController
|
|
||||||
pe.Message = fmt.Sprintf("policy failed to apply on resource %s/%s/%s: %v", resource.GetKind(), resource.GetNamespace(), resource.GetName(), err)
|
|
||||||
events = append(events, pe)
|
|
||||||
|
|
||||||
// Resource
|
|
||||||
re := event.Info{}
|
re := event.Info{}
|
||||||
re.Kind = resource.GetKind()
|
re.Kind = resource.GetKind()
|
||||||
re.Namespace = resource.GetNamespace()
|
re.Namespace = resource.GetNamespace()
|
||||||
|
@ -42,32 +17,6 @@ func failedEvents(err error, gr kyverno.GenerateRequest, resource unstructured.U
|
||||||
re.Reason = event.PolicyFailed.String()
|
re.Reason = event.PolicyFailed.String()
|
||||||
re.Source = event.GeneratePolicyController
|
re.Source = event.GeneratePolicyController
|
||||||
re.Message = fmt.Sprintf("policy %s failed to apply: %v", gr.Spec.Policy, err)
|
re.Message = fmt.Sprintf("policy %s failed to apply: %v", gr.Spec.Policy, err)
|
||||||
events = append(events, re)
|
|
||||||
|
|
||||||
return events
|
return []event.Info{re}
|
||||||
}
|
|
||||||
|
|
||||||
func successEvents(gr kyverno.GenerateRequest, resource unstructured.Unstructured) []event.Info {
|
|
||||||
var events []event.Info
|
|
||||||
// Cluster Policy
|
|
||||||
pe := event.Info{}
|
|
||||||
pe.Kind = "ClusterPolicy"
|
|
||||||
// clusterwide-resource
|
|
||||||
pe.Name = gr.Spec.Policy
|
|
||||||
pe.Reason = event.PolicyApplied.String()
|
|
||||||
pe.Source = event.GeneratePolicyController
|
|
||||||
pe.Message = fmt.Sprintf("applied successfully on resource %s/%s/%s", resource.GetKind(), resource.GetNamespace(), resource.GetName())
|
|
||||||
events = append(events, pe)
|
|
||||||
|
|
||||||
// Resource
|
|
||||||
re := event.Info{}
|
|
||||||
re.Kind = resource.GetKind()
|
|
||||||
re.Namespace = resource.GetNamespace()
|
|
||||||
re.Name = resource.GetName()
|
|
||||||
re.Reason = event.PolicyApplied.String()
|
|
||||||
re.Source = event.GeneratePolicyController
|
|
||||||
re.Message = fmt.Sprintf("policy %s successfully applied", gr.Spec.Policy)
|
|
||||||
events = append(events, re)
|
|
||||||
|
|
||||||
return events
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -42,9 +42,11 @@ func generateEvents(log logr.Logger, ers []response.EngineResponse) []event.Info
|
||||||
}
|
}
|
||||||
|
|
||||||
func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.Info {
|
func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.Info {
|
||||||
logger := log.WithValues("policy", er.PolicyResponse.Policy, "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name)
|
|
||||||
var eventInfos []event.Info
|
var eventInfos []event.Info
|
||||||
|
|
||||||
|
logger := log.WithValues("policy", er.PolicyResponse.Policy, "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name)
|
||||||
logger.V(4).Info("reporting results for policy")
|
logger.V(4).Info("reporting results for policy")
|
||||||
|
|
||||||
for _, rule := range er.PolicyResponse.Rules {
|
for _, rule := range er.PolicyResponse.Rules {
|
||||||
if rule.Success {
|
if rule.Success {
|
||||||
continue
|
continue
|
||||||
|
@ -57,22 +59,9 @@ func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.In
|
||||||
e.Name = er.PolicyResponse.Resource.Name
|
e.Name = er.PolicyResponse.Resource.Name
|
||||||
e.Reason = event.PolicyViolation.String()
|
e.Reason = event.PolicyViolation.String()
|
||||||
e.Source = event.PolicyController
|
e.Source = event.PolicyController
|
||||||
e.Message = fmt.Sprintf("policy '%s' (%s) rule '%s' not satisfied. %v", er.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message)
|
e.Message = fmt.Sprintf("policy '%s' (%s) rule '%s' failed. %v", er.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message)
|
||||||
eventInfos = append(eventInfos, e)
|
eventInfos = append(eventInfos, e)
|
||||||
}
|
}
|
||||||
if er.IsSuccessful() {
|
|
||||||
return eventInfos
|
|
||||||
}
|
|
||||||
|
|
||||||
// generate a event on policy for all failed rules
|
|
||||||
logger.V(4).Info("generating event on policy")
|
|
||||||
e := event.Info{}
|
|
||||||
e.Kind = "ClusterPolicy"
|
|
||||||
e.Namespace = ""
|
|
||||||
e.Name = er.PolicyResponse.Policy
|
|
||||||
e.Reason = event.PolicyViolation.String()
|
|
||||||
e.Source = event.PolicyController
|
|
||||||
e.Message = fmt.Sprintf("policy '%s' rules '%v' not satisfied on resource '%s/%s/%s'", er.PolicyResponse.Policy, er.GetFailedRules(), er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
|
|
||||||
eventInfos = append(eventInfos, e)
|
|
||||||
return eventInfos
|
return eventInfos
|
||||||
}
|
}
|
||||||
|
|
|
@ -189,18 +189,6 @@ func (resp generateRequestResponse) error() string {
|
||||||
}
|
}
|
||||||
|
|
||||||
func failedEvents(err error, gr kyverno.GenerateRequestSpec, resource unstructured.Unstructured) []event.Info {
|
func failedEvents(err error, gr kyverno.GenerateRequestSpec, resource unstructured.Unstructured) []event.Info {
|
||||||
var events []event.Info
|
|
||||||
// Cluster Policy
|
|
||||||
pe := event.Info{}
|
|
||||||
pe.Kind = "ClusterPolicy"
|
|
||||||
// cluserwide-resource
|
|
||||||
pe.Name = gr.Policy
|
|
||||||
pe.Reason = event.PolicyFailed.String()
|
|
||||||
pe.Source = event.GeneratePolicyController
|
|
||||||
pe.Message = fmt.Sprintf("policy failed to apply on resource %s/%s/%s: %v", resource.GetKind(), resource.GetNamespace(), resource.GetName(), err)
|
|
||||||
events = append(events, pe)
|
|
||||||
|
|
||||||
// Resource
|
|
||||||
re := event.Info{}
|
re := event.Info{}
|
||||||
re.Kind = resource.GetKind()
|
re.Kind = resource.GetKind()
|
||||||
re.Namespace = resource.GetNamespace()
|
re.Namespace = resource.GetNamespace()
|
||||||
|
@ -208,7 +196,6 @@ func failedEvents(err error, gr kyverno.GenerateRequestSpec, resource unstructur
|
||||||
re.Reason = event.PolicyFailed.String()
|
re.Reason = event.PolicyFailed.String()
|
||||||
re.Source = event.GeneratePolicyController
|
re.Source = event.GeneratePolicyController
|
||||||
re.Message = fmt.Sprintf("policy %s failed to apply: %v", gr.Policy, err)
|
re.Message = fmt.Sprintf("policy %s failed to apply: %v", gr.Policy, err)
|
||||||
events = append(events, re)
|
|
||||||
|
|
||||||
return events
|
return []event.Info{re}
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,8 +4,6 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
|
|
||||||
"github.com/nirmata/kyverno/pkg/common"
|
|
||||||
"github.com/nirmata/kyverno/pkg/engine/response"
|
"github.com/nirmata/kyverno/pkg/engine/response"
|
||||||
|
|
||||||
"github.com/nirmata/kyverno/pkg/event"
|
"github.com/nirmata/kyverno/pkg/event"
|
||||||
|
@ -14,101 +12,23 @@ import (
|
||||||
//generateEvents generates event info for the engine responses
|
//generateEvents generates event info for the engine responses
|
||||||
func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool, log logr.Logger) []event.Info {
|
func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool, log logr.Logger) []event.Info {
|
||||||
var events []event.Info
|
var events []event.Info
|
||||||
// Scenario 1
|
|
||||||
// - Admission-Response is SUCCESS && CREATE
|
|
||||||
// - All policies were succesfully
|
|
||||||
// - report event on resources
|
|
||||||
if isResponseSuccesful(engineResponses) {
|
|
||||||
if !onUpdate {
|
|
||||||
// we only report events on CREATE requests
|
|
||||||
return events
|
|
||||||
}
|
|
||||||
for _, er := range engineResponses {
|
|
||||||
successRules := er.GetSuccessRules()
|
|
||||||
successRulesStr := strings.Join(successRules, ";")
|
|
||||||
// event on resource
|
|
||||||
e := event.NewEvent(
|
|
||||||
log,
|
|
||||||
er.PolicyResponse.Resource.Kind,
|
|
||||||
er.PolicyResponse.Resource.APIVersion,
|
|
||||||
er.PolicyResponse.Resource.Namespace,
|
|
||||||
er.PolicyResponse.Resource.Name,
|
|
||||||
event.PolicyApplied.String(),
|
|
||||||
event.AdmissionController,
|
|
||||||
event.SRulesApply,
|
|
||||||
successRulesStr,
|
|
||||||
er.PolicyResponse.Policy,
|
|
||||||
)
|
|
||||||
events = append(events, e)
|
|
||||||
}
|
|
||||||
return events
|
|
||||||
}
|
|
||||||
|
|
||||||
// Scneario 2
|
|
||||||
// - Admission-Response is BLOCKED
|
|
||||||
// - report event of policy is in enforce mode and failed to apply
|
|
||||||
if blocked {
|
|
||||||
for _, er := range engineResponses {
|
|
||||||
if er.IsSuccessful() {
|
|
||||||
// do not create event on polices that were succesfuly
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if er.PolicyResponse.ValidationFailureAction != common.Enforce {
|
|
||||||
// do not create event on "audit" policy
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
// Rules that failed
|
|
||||||
failedRules := er.GetFailedRules()
|
|
||||||
filedRulesStr := strings.Join(failedRules, ";")
|
|
||||||
// Event on Policy
|
|
||||||
e := event.NewEvent(
|
|
||||||
log,
|
|
||||||
"ClusterPolicy",
|
|
||||||
kyverno.SchemeGroupVersion.String(),
|
|
||||||
"",
|
|
||||||
er.PolicyResponse.Policy,
|
|
||||||
event.RequestBlocked.String(),
|
|
||||||
event.AdmissionController,
|
|
||||||
event.FPolicyBlockResourceUpdate,
|
|
||||||
er.PolicyResponse.Resource.GetKey(),
|
|
||||||
filedRulesStr,
|
|
||||||
)
|
|
||||||
events = append(events, e)
|
|
||||||
}
|
|
||||||
return events
|
|
||||||
}
|
|
||||||
|
|
||||||
// Scenario 3
|
|
||||||
// - Admission-Response is SUCCESS
|
// - Admission-Response is SUCCESS
|
||||||
// - Some/All policies failed (policy violations generated)
|
// - Some/All policies failed (policy violations generated)
|
||||||
// - report event on policy that failed
|
|
||||||
// - report event on resource that failed
|
// - report event on resource that failed
|
||||||
|
|
||||||
for _, er := range engineResponses {
|
for _, er := range engineResponses {
|
||||||
if er.IsSuccessful() {
|
if er.IsSuccessful() {
|
||||||
// do not create event on polices that were succesfuly
|
// do not create event on rules that were succesful
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
// Rules that failed
|
// Rules that failed
|
||||||
failedRules := er.GetFailedRules()
|
failedRules := er.GetFailedRules()
|
||||||
filedRulesStr := strings.Join(failedRules, ";")
|
filedRulesStr := strings.Join(failedRules, ";")
|
||||||
// Event on the policy
|
|
||||||
e := event.NewEvent(
|
|
||||||
log,
|
|
||||||
"ClusterPolicy",
|
|
||||||
kyverno.SchemeGroupVersion.String(),
|
|
||||||
"",
|
|
||||||
er.PolicyResponse.Policy,
|
|
||||||
event.PolicyFailed.String(),
|
|
||||||
event.AdmissionController,
|
|
||||||
event.FPolicyApplyFailed,
|
|
||||||
filedRulesStr,
|
|
||||||
er.PolicyResponse.Resource.GetKey(),
|
|
||||||
)
|
|
||||||
events = append(events, e)
|
|
||||||
// Event on the resource
|
// Event on the resource
|
||||||
// event on resource
|
// event on resource
|
||||||
e = event.NewEvent(
|
e := event.NewEvent(
|
||||||
log,
|
log,
|
||||||
er.PolicyResponse.Resource.Kind,
|
er.PolicyResponse.Resource.Kind,
|
||||||
er.PolicyResponse.Resource.APIVersion,
|
er.PolicyResponse.Resource.APIVersion,
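Review bot: With the first two branches removed, `blocked` and `onUpdate` are no longer read anywhere in the visible part of generateEvents, and a request denied by an enforce-mode policy no longer produces the RequestBlocked event on the policy. If nothing below the hunk restores that, denied admissions may leave no event from this function, since the resource event presumably has no object to attach to when a CREATE was rejected (worth confirming). State the intent in the doc comment, e.g. `// generateEvents reports one event per failed policy on the affected resource; blocked requests are not reported on the policy`, and drop the two parameters if they are truly unused. The leftover lines beginning `// - Admission-Response is SUCCESS` have lost their `// Scenario 3` heading and should be folded into that comment. The function continues past the end of the hunk.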
|
||||||
|
|